Four Steps to Secure your Work from Home Environment


Author: Steve McGeown, Security Practice Leader, QA Consultants, Toronto, Ontario

Is your home network safe? Are you putting your corporate assets at risk while working from home? At 10 months into the ‘new way to work’ with many more such months on the horizon, QA Consultants shares simple guidelines to secure your work from home environment.

We have all been doing this Work From Home (“WFH”) thing for several months now. Not only work, but also school from home, competition for network bandwidth, shared devices, and conflicting requirements. Let’s start 2021 with a Security Health Check for your home environment. The variety of users, devices, networks, and access points puts us in a fragile position with little support. Applications such as videoconferencing and file sharing are regularly misconfigured, and that misuse can lead to serious personal and organizational security exposure. Advanced email phishing attempts will find plenty of targets among WFH users who are not properly prepared.

Do not be the reason your corporate network has been compromised. 

Conducting business virtually has introduced us to new applications for collaborating in our ‘separate but together’ world. Coordinating 20, 50, or 100 people into a virtual conference room is hard enough, but many are trying to do the same with families, AND ON YOUR WORK COMPUTER!

And then there is our home infrastructure…maybe some Wi-Fi router that we bought in 2003, on special, with default settings.

Reducing your security risk does not have to be overwhelming. The real security threats are not evil mysterious masterminds in hoodies stalking you. No, the real enemy is automation. Bots, bots, and more bots are automatically scanning 24 hours a day, 365 days a year, looking for easy entry targets. Once these autonomous bots identify a weak target – YOU – that is when their human enablers step in to monetize your weakness through ransomware, or to attack your organization to steal data and gain other forms of access. Once in, they use your identity and that information to attack your contacts.

We recommend four security measures that you can take to secure your WFH environment and increase peace of mind. Taking this approach will elevate your security posture and keep the bots moving on to another target.


1) Create and Follow a Work from Home Technology and Security Policy

Champion, build, and follow a company IT WFH policy. Do not hesitate to reach out for remote support from your IT group rather than spin your wheels in frustration. You can rack up hours trying to figure out router or device security settings when best practices can be documented for all.

Here are some key suggestions that you should follow:

a) No family members on work equipment, and no business work on your home equipment. If your company has a VPN, use it. Use company-supplied backup mechanisms if available. Finally, if you are in a bring-your-own-device (“BYOD”) situation, you will need special care to do all of the above, but there should still be a company policy that you follow for BYOD.

b) Everyone is leaning heavily on collaboration tools, including various conferencing and file-sharing tools, to achieve office-like productivity. It is best to rely on your company’s best practices and guidance. IT can help you manage the vulnerabilities in those tools; they will know which ones affect all employees and can help you work around them. Keep in mind, however, that most of the security exposure in these tools comes from user configuration or settings.

c) “Zoom bombing” is when people hijack your webinars or conference calls and display images or take over the chat feature with objectionable content. Do not publish your meeting links on social media or any public platform. Do not disable the password requirement, and consider using the “waiting room” feature so you can validate attendees before allowing them to join the session. Carefully review all settings and configuration of the platform before your sessions.

2) Update Your Hardware and Platforms

Now, back to that router you bought in 2003. If you have not upgraded your router in quite some time, chances are the firmware is very much out of date, and Wi-Fi routers have had notorious security problems in the past. Update your firmware. Then, change the default credentials: manufacturers ship their routers with an admin user ID and default password, and you need to replace those because everyone in the “dark community” knows them! Next, remove or turn off any remote admin access. Finally, make sure there is a hard-to-guess SSID password – not your name, or address, or anything that reveals the location or owner of the router.

For your workstation, laptop(s), tablets, etc., make sure auto-updates are turned on and working. Some organizations prefer to control Windows Update themselves. Check connections to other devices such as printers or other needed peripherals, and update your firewall rules to allow only those devices.

You will never need to pay a ransom if your work is backed up, both cloud and local! Use corporate and personal backup mechanisms through a cloud provider and/or a peripheral backup drive.

3) Passwords

Passwords are the most important of our four recommendations. It is not uncommon for bad actors to set up databases that generate millions of password attempts to gain ‘brute force’ access to a particular system. It is very easy to do with an automated army.

In fact, in one instance where QAC was asked by a client to penetrate a system, we found out that there was no actual policy control on passwords and users could put anything they wanted. As it turned out, we cracked over twenty thousand subscriber accounts while only using a database of about a thousand or so passwords. Yes, it is real!

There are only two acceptable means of setting passwords. 

1. Use a passphrase: A passphrase is simply a phrase, not just a word, that you can remember easily but is alphanumerically complex. I can even tell you my password, but because I have substituted “zeros” with the letter “O”, etc., or spelled parts out, it is difficult to guess. It could take thousands of attempts to guess and is as complex as a randomly generated one.

2. Use a password manager: The other method is a password manager, which stores a strong, cryptic password that nobody could ever guess for each system, across all your devices, all controlled by a single user ID (or your face).
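As an added illustration of the “no policy control on passwords” problem described above (example code written for this article, not a QA Consultants tool), here is a small policy check that first rejects anything on a common-password list, then accepts either a long passphrase or a manager-generated random string. The common-password list and the length thresholds are constructed assumptions, not figures from the article.

```python
"""Password-policy check in the spirit of the article's two acceptable methods:
a memorable passphrase, or a long random string from a password manager."""
import string

# Constructed stand-in for a common-password list; a real deployment would
# load a published breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1",
                    "iloveyou", "admin", "summer2020", "football"}

# Thresholds are assumptions for this example, not figures from the article.
MIN_PASSPHRASE_LEN = 16    # characters
MIN_PASSPHRASE_WORDS = 3
MIN_RANDOM_LEN = 14        # characters, for manager-generated passwords


def looks_like_passphrase(pw):
    """Several words, long enough overall to resist dictionary guessing."""
    return len(pw) >= MIN_PASSPHRASE_LEN and len(pw.split()) >= MIN_PASSPHRASE_WORDS


def looks_random(pw):
    """Manager-style password: long and drawn from at least three character classes."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    return len(pw) >= MIN_RANDOM_LEN and sum(classes) >= 3


def check_password(pw):
    """Return (accepted, reason). The common-list check runs first because a
    small list of popular passwords is exactly what cracks accounts in bulk."""
    if pw.strip().lower() in COMMON_PASSWORDS:
        return False, "appears on the common-password list"
    if looks_like_passphrase(pw):
        return True, "accepted as a passphrase"
    if looks_random(pw):
        return True, "accepted as a generated password"
    return False, ("use a passphrase of %d+ characters and %d+ words, or a generated "
                   "password of %d+ mixed characters"
                   % (MIN_PASSPHRASE_LEN, MIN_PASSPHRASE_WORDS, MIN_RANDOM_LEN))


if __name__ == "__main__":
    for candidate in ("Password", "my dog chased three squirrels", "x7#Lq9!vB2mZ$t4"):
        print(repr(candidate), check_password(candidate))
```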

You should also always consider multi-factor authentication. You are probably familiar with this, especially when you sign on to your bank accounts from different devices. It is simple to use, and it adds so much security to your risk profile. You log in as normal, then the system issues a token or a number via email or a text to your phone, and you enter that second factor so it knows it is you.

4) Protect against Social Engineering (Phishing)

Social engineering has become so sophisticated that even the most cautious, security-conscious of us may be too quick to click on a nefarious link or open a dangerous attachment. COVID-19 and WFH have made phishing more prevalent and dangerous than ever!

So, what is phishing, and how has it become so much more dangerous than the classic Nigerian princess or FedEx scam? The bad guys customize their attacks after doing some homework on your social media presence and the type of work you do. Then they create a message that looks familiar (family, bank, office) and includes a dangerous embedded link or attachment. All you have to do on a sleepy, early morning is click or open something that suddenly runs code on your machine, and then, poof! You are ‘owned’ by them, ransomware ensues, and all sorts of bad things happen. These communications are very, very difficult to detect and prevent in any proactive way.

At the office, there is the dreaded Microsoft Office 365 credential phishing and its dozens of variants. Here, bad actors spoof the Office 365 team and send you and your company’s 365 account members an official-looking email warning of a full mailbox: a well-disguised message that suggests clicking on a URL to get an extra number of gigabytes for free. The primary purpose is to have you click on a fake URL and enter your sign-in credentials and password.

Our strongest, failsafe recommendation regarding URL links is to never click on them directly within the email. Do not click links even from known contacts, as they could have been sent from an already compromised account. Do not cut and paste the link into your browser either; instead, navigate directly to the content yourself. Find the content directly if it is important. You can live without another cat video. Be vigilant about this.
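To show in code what “look before you click” means for the Office 365 mailbox-full lure described above, here is an added example (written for this article, not a QA Consultants tool) that lists every link in an email body whose visible text names a different host than the link actually goes to, or whose target is outside an allow-list of trusted domains. The sample email, the phishing hostname and the trusted-domain list are constructed placeholders.

```python
"""Flag email links whose visible text hides a different destination or that leave trusted domains."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample of the "mailbox full" lure; the phishing hostname is a placeholder.
SAMPLE_EMAIL = """
<p>Your mailbox is 99% full. Click <a href="http://login-office365.example-phish.test/upgrade">
https://outlook.office365.com/storage</a> to add 50 GB for free.</p>
<p>Questions? <a href="https://portal.office.com/help">Visit the help portal</a></p>
"""
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)  # text that reads as a URL

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # (visible text, href) pairs

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL, or of bare text that looks like one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html, trusted_domains):
    """Return (text, href, reason) for each link a reader should not follow."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        real = host_of(href)
        shown = host_of(text) if URL_LIKE.match(text) else ""  # the domain the reader *sees*
        if shown and shown != real:
            findings.append((text, href, "text shows %s but link goes to %s" % (shown, real)))
        elif not any(real == d or real.endswith("." + d) for d in trusted_domains):
            findings.append((text, href, "%s is not a trusted domain" % real))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL, {"office365.com", "office.com"})` flags only the first link, whose text reads outlook.office365.com while the href points at the placeholder phishing host.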

If an email is asking you to change your password, does it look like the normal password change process that your organization uses regularly? If you suspect anything, call the IT organization. Call anyway.

In summary, we are under constant attack, but muscle memory is key. Start with these four simple exercises. You will see big gains in your home security posture and your confidence, and there will be huge benefits for your company if you follow this guide. If you have questions, comments, or concerns, or if you are looking for a checklist for higher-complexity environments, please submit them through QA Consultants’ website:

https://qaconsultants.com/contact-us/ (Did you click the link or type it in your browser?)

A video of this presentation can be found and shared with your organization at this link:

https://qaconsultants.com/solutions-and-services/security-testing/

QA Consultants is North America’s largest independent software quality assurance services firm. QAC is 100% focused on software QA and security, delivering services onshore primarily through their Toronto TestFactoryTM. QAC’s services cover the full spectrum of software testing including functional (manual and automated) testing, performance engineering and testing, accessibility, audit/advisory, application security vulnerability, among other QA disciplines. QAC has a robust Emerging Tech practice that is predominately funded by the Canadian government for leading-edge research on QA for connected and autonomous vehicles, AI, and blockchain. With over 26 years of experience, market leading IP, and 10,000 engagements delivered, QA Consultants has consistently proven that independent QA is cost effective, value based, and efficient. QAC has deep domain expertise in banking and financial services, Retail, Government, Software/Tech, and Transportation. For more information, please visit www.qaconsultants.com.